Fei Protocol Uniswap Price Manipulation

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Fei Protocol

The FEI protocol had a "bonding curve" which provided liquidity for the stablecoin. These funds were stored in a smart contract hot wallet.

An exploit was found which would have allowed a malicious actor to drain the stored funds by manipulating the price with a flash loan.

The exploit was corrected without any loss of user funds.

This is a global/international case not involving a specific country.[1][2][3][4][5][6]

About Fei Protocol

"FEI is a new kind of stablecoin. It is more capital efficient, has a fair distribution, and is fully decentralized." "When the price increases, newly minted FEI can be purchased for ETH, which is scrowed in the protocol bonding curve. Then this ETH was deposited by a keeper in the ETH-FEI Uniswap pair. An attacker could take a flash loan to drive up the ETH-FEI spot price in Uniswap, purchase FEI from the bonding curve, trigger the ETH deposit as liquidity in Uniswap, and finally sell the FEI received at an elevated price."

"When the price of FEI is over $1.01, users can purchase newly minted FEI from the protocol’s bonding curve for ETH to arbitrage the secondary market price down towards $1. This ETH is escrowed in the bonding curve until a keeper allocates it, at which point it is deposited into the ETH-FEI pair at the spot price."

"On May 2, during an internal code review, we identified a critical vulnerability that could have removed ETH from the Protocol Controlled Value. The attack involved manipulating the spot price on the FEI-ETH Uniswap pair, before providing liquidity through the bonding curve. After validating a Proof of Concept (PoC) attack, we immediately paused the bonding curve, which prevented the exploit from being possible, and notified our community publicly on Discord. The following day, we received a report from Immunefi where Alexander Schlindwein had also independently discovered the exploit." "Manipulation of the spot price with a flash loan is the primary vector of the attack."

Steps to reproduce: "(1) Flash borrow ETH. (2) Buy on spot market. (3) Buy on bonding curve and execute bonding curve allocation. (4) Sell FEI from 2 and 3. (5) Profit." "The end result is the spot price of FEI/ETH is lower than at the beginning, essentially arbing by spiking the price of FEI since it uses the spot price when depositing."

"The vulnerability was not exploited and no funds were lost."

"After the fix, the ETH from the bonding curve is sent to the reserve stabilizer rather than the ETH-FEI Uniswap pool. And it won’t mint any liquidity at a price significantly different from the oracle price of ETH." "The solution has 2 parts: (1) Deposit at oracle price not spot price. (2) Restrict allocate() and other potentially risky flows to EOA only."

"OpenZeppelin and Alexander further assisted with the review and validation of the fix. The fix removes the attack vector by sending ETH from the bonding curve to the reserve stabilizer rather than the ETH-FEI Uniswap pool. It also adds additional checks on the pool to ensure that if more funds are added to the pair in the future, it is protected from malicious arbitrage."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Fei Protocol Uniswap Price Manipulation
Date Event Description
May 13th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

No funds were lost.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

There was no loss of user funds.

In general, storage in a smart contract is not as secure as a simpler form of offline multi-sig.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 23, 2021)
  2. Fei Bonding Curve Bug Post Mortem (Jun 22, 2021)
  3. Fei Protocol Flashloan Vulnerability Postmortem (Jun 22, 2021)
  4. FEI Post Mortem – OpenZeppelin blog (Jun 22, 2021)
  5. Pre release fix flash attacks by Joeysantoro · Pull Request #81 · fei-protocol/fei-protocol-core · GitHub (Jul 28, 2021)
  6. Fei Protocol (Jul 28, 2021)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Fei_Protocol_Uniswap_Price_Manipulation&oldid=4028"